PowerShell is an advanced terminal for Windows. [PowerShell = cmd + cmdlets] Aliases make cmd commands work the same way in PowerShell. PowerShell includes a built-in IDE called the Windows PowerShell Integrated Scripting Environment (ISE). The ISE is a host application for Windows PowerShell that lets us run commands and write, test, and debug scripts in a single Windows-based graphical user interface.
The default execution policy in PowerShell is “Restricted”, which means the system will neither load PowerShell configuration files nor run PowerShell scripts. For the purposes of this module, we will need to set an “Unrestricted” execution policy on our Windows client machine. External tools like PowerView.ps1, Powercat and Nishang can cause problems with the unrestricted execution policy. Get the current state of the execution policy configuration with Get-ExecutionPolicy -List.
Open cmd.exe: C:\Users\darkoid\Desktop>**powershell -ep bypass** (-ep is shorthand for -ExecutionPolicy)
PowerShell reverse shell (we will use netcat on Kali and PowerShell on Windows)
PowerShell bind shell (we will use netcat on Kali and PowerShell on Windows)
PowerShell Transcription Logs capture the input and output of Windows PowerShell commands, allowing an analyst to review what happened when. Typically, PowerShell Transcription can be enabled by Group Policy, but another method to turn on this logging is by configuring the Windows Registry.
Typically you'll use Event Viewer to view event logs locally on a Windows system, but for a more painless experience we can use FullEventLogView to look through transcript files in an ordered manner.
- Screenshots of Event Viewer and FullEventLogView
Turn on PowerShell Transcription Logging for a local host in an Administrator command prompt:
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0x1 /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v OutputDirectory /t REG_SZ /d C:/ /f
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableInvocationHeader /t REG_DWORD /d 0x1 /f
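As an added example (not part of the original notes), here is a small Python parser for the transcript files this logging writes to OutputDirectory. It shows what EnableInvocationHeader buys an analyst: each command gets its own "Command start time" header, so commands can be tied to a time. The sample transcript, host name and user name are constructed for the example.

```python
import re
from datetime import datetime

# Added example, not from the original notes: parse one PowerShell transcript file.
# With EnableInvocationHeader on, each command is preceded by a "Command start time" header.
SEP = re.compile(r"^\*{10,}\s*$")          # asterisk rows that delimit header blocks
PROMPT = re.compile(r"^PS [^>]*> ?(.*)$")  # a prompt line: "PS C:\path> command"
TS_FMT = "%Y%m%d%H%M%S"                    # timestamp format used in transcript headers

def parse_transcript(text):
    """Return (session metadata, [{'time': datetime|None, 'command': str}, ...])."""
    meta, commands, in_header, pending = {}, [], False, None
    for line in text.splitlines():
        if SEP.match(line):
            in_header = not in_header
        elif in_header:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Command start time":
                pending = datetime.strptime(value, TS_FMT)
            elif key in ("Start time", "End time"):
                meta[key] = datetime.strptime(value, TS_FMT)
            elif value:
                meta[key] = value
        elif (m := PROMPT.match(line)):
            # 'time' stays None if transcription ran without EnableInvocationHeader
            commands.append({"time": pending, "command": m.group(1).strip()})
            pending = None
    return meta, commands

# Constructed sample transcript (not captured from a real host).
SAMPLE = r"""**********************
Windows PowerShell transcript start
Start time: 20240115101500
Username: LAB\analyst
Machine: WIN10-LAB (Microsoft Windows NT 10.0.19045.0)
**********************
**********************
Command start time: 20240115101507
**********************
PS C:\Users\analyst> Get-ExecutionPolicy -List
  MachinePolicy       Undefined
**********************
Command start time: 20240115101522
**********************
PS C:\Users\analyst> Set-ExecutionPolicy Unrestricted -Scope CurrentUser
**********************
Windows PowerShell transcript end
End time: 20240115101530
**********************"""
```

Calling parse_transcript(SAMPLE) returns the session metadata (user, machine, start and end times) plus the two commands, each tagged with the time from its invocation header.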